On Sept. 20, veteran cybersecurity reporter Brian Krebs’ website was hit by an enormous distributed denial-of-service attack. The incident might have passed as just another in the seemingly endless series of high-profile incidents this year, if not for a major difference: This one involved the Internet of Things.
Krebs reported the assault was launched with the help of a botnet that spread malware to a number of IoT devices such as home routers, IP cameras and digital video recorders, all connected to the internet and lacking adequate protection.
Then, on Oct. 21, the IoT was harnessed for a much larger incident – a distributed denial-of-service attack on the internet infrastructure company Dyn that hobbled major websites including Twitter, Netflix, Spotify and Reddit. Multiple media outlets reported that the attack appeared to have relied on thousands of IoT devices without their owners’ knowledge.
The attacks should serve as a bright red flag for an industry that has spent the last few years fretting about a looming IoT security threat but hasn’t addressed the issue with the urgency it requires. It’s now imperative that better IoT security become an immediate priority.
There’s a relatively easy way to get the industry to move faster on improving IoT security: enforcing or updating federal and industry regulations and standards to help safeguard the IoT revolution (and, in fact, compel companies to better protect their web infrastructure overall).
No one likes red tape, and regulation for the sake of regulation is silly, but the fact is there are two main drivers that corporate C-suites wait for before devoting more budget to IoT and mobile security: headline-grabbing attacks and regulatory obligations.
Regulations, whether or not anyone likes it, can be a very effective hammer for the greater good.
From improved health monitoring to safer highways to smart homes, IoT has already begun to touch the lives of millions of Americans and will become truly transformational in the years to come. Gartner forecasts that 6.4 billion connected things will be in use worldwide this year, up 30 percent from 2015, and will reach 20.8 billion by 2020.
Unfortunately, all those new connected devices also represent the next frontier for hackers. Gartner predicts that more than 25 percent of identified attacks in enterprises will involve IoT devices by the end of the decade. Yet too little attention has been paid thus far to protecting them.
The recent attacks provide a vivid and frightening snapshot of what can happen when innocuous everyday devices that weren’t made with network security in mind are exposed to the internet. One problem is simple design — the persistent use of weak or non-encrypted passwords that are little match for botnets scanning for vulnerable devices and brute-forcing usernames and passwords to gain access.
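To make the failure mode above concrete from the defender's side, here is an added illustration that is not part of the original piece: a provisioning-time check that refuses factory-default and trivially guessable device credentials, and a detector that scans device authentication logs for the credential-guessing pattern the botnets rely on. The log format, the default-credential list, the thresholds and the sample log lines are all constructed for this example.

```python
"""Added illustration, not from the article: two defender-side checks for IoT
devices shipped with weak or default credentials and exposed to the internet.

1. reject_weak_credential(): refuses default or trivially guessable passwords
   when a device is provisioned.
2. detect_bruteforce(): scans (constructed) device auth log lines and flags
   source IPs whose failed logins exceed a threshold inside a sliding window.
The log format, credential list and thresholds are assumptions for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Hypothetical factory-default credential pairs; real devices vary.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"),
                       ("admin", "1234"), ("root", "")}


def reject_weak_credential(username, password, min_length=12):
    """Return a reason string if the credential must be refused, else None."""
    if (username, password) in DEFAULT_CREDENTIALS:
        return "factory default credential"
    if len(password) < min_length:
        return f"password shorter than {min_length} characters"
    if password.lower() == username.lower():
        return "password equals username"
    if password.isdigit() or password.isalpha():
        return "password uses a single character class"
    return None


# Constructed log format: "<ISO timestamp> auth <ok|fail> user=<name> src=<ip>"
LOG_RE = re.compile(r"^(\S+) auth (ok|fail) user=(\S+) src=(\S+)$")


def parse_auth_line(line):
    """Parse one constructed auth log line; return None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, result, user, src = m.groups()
    return datetime.fromisoformat(ts), result, user, src


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {src_ip: ISO time} for each source that reaches `threshold`
    failed logins within any sliding interval of length `window`."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = {}
    for line in lines:
        parsed = parse_auth_line(line)
        if parsed is None:
            continue
        ts, result, _user, src = parsed
        if result != "fail":
            continue
        q = recent[src]
        q.append(ts)
        # Drop failures that fell out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = ts.isoformat()
    return flagged


# Constructed sample: one source guessing several accounts in quick succession,
# one slow source below the threshold, and a legitimate owner login.
SAMPLE_LOG = """\
2016-10-21T11:00:01 auth fail user=admin src=198.51.100.7
2016-10-21T11:00:02 auth fail user=root src=198.51.100.7
2016-10-21T11:00:03 auth fail user=admin src=198.51.100.7
2016-10-21T11:00:04 auth fail user=support src=198.51.100.7
2016-10-21T11:00:05 auth fail user=admin src=198.51.100.7
2016-10-21T11:00:06 auth ok user=admin src=198.51.100.7
2016-10-21T11:00:10 auth fail user=admin src=203.0.113.9
2016-10-21T11:03:10 auth fail user=admin src=203.0.113.9
2016-10-21T11:05:00 auth ok user=owner src=192.0.2.25
""".splitlines()

if __name__ == "__main__":
    for creds in [("admin", "admin"), ("owner", "Tr1nket-Gl0ve-9x")]:
        print(creds[0], "->", reject_weak_credential(*creds) or "accepted")
    print("flagged sources:", detect_bruteforce(SAMPLE_LOG))
```

Note that the successful login from 198.51.100.7 right after the run of failures is exactly the outcome the article warns about; the detector flags the source on the fifth failure, before that success, so a device or gateway can lock the source out or raise an alert in time.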
Since mobile medical applications and wearable devices that better capture patients’ health data are among the first and most dramatic Internet of Things applications, the Health Insurance Portability and Accountability Act would be a good place to start in modernizing regulations for the post-IoT world.
The law states that medical providers must implement technical policies and procedures that allow only authorized persons to access electronic protected health information, but, beyond access control, HIPAA is short on details about securing web applications. With the advent of the IoT and a plethora of new web applications in the medical community, this is no longer good enough.
Similarly, the Gramm-Leach-Bliley Act, commonly known as GLBA – which requires financial services companies to explain their information-sharing practices to their customers and to safeguard sensitive data – has a strong focus on access control but would benefit from specific language about IoT and web security vulnerabilities.
Other public-sector entities that could play a useful role in setting better IoT security standards include the National Institute of Standards and Technology and, in Europe, the Payment Services Directive 2 initiative to regulate payment services and providers throughout the European Union. The Payment Card Industry (PCI) standard also needs to be updated for both mobile and IoT applications, as “connected cars” are likely to have payment services built into various parts of their systems.
It’s evident that IoT security has gotten the government’s attention. For example, last year, the Federal Trade Commission issued a report – “Internet of Things: Privacy and Security in a Connected World” – that recommended companies take several steps to promote IoT security.
They include building security into devices at the outset rather than as an afterthought in the design process; better employee training; ensuring that third-party vendors maintain strong security; and monitoring connected devices throughout their expected life cycle.
Meanwhile, the White House’s National Science and Technology Council in October called for a closer look at the role regulation can play as new technologies advance. Though the panel’s report focused on artificial intelligence and not IoT per se, the language demonstrated the White House’s thinking that modernized regulations should be part of the equation as industry and society in general come to grips with technological change.
“If a risk falls within the bounds of an existing regulatory regime,” the report said, “the policy discussion should start by considering whether the existing regulations already adequately address the risk, or whether they need to be adapted to the addition of AI. Also, where regulatory responses to the addition of AI threaten to increase the cost of compliance, or slow the development or adoption of beneficial innovations, policymakers should consider how those responses could be adjusted to lower costs and barriers to innovation without adversely impacting safety or market fairness.”
That’s right. We don’t necessarily need another new regulation – the wrong ones can be harmful, in fact – but we must update the old standards to provide more clarity and enforcement guidelines around protecting the IoT and Web infrastructure in general.
As the Dyn and Krebs attacks proved, the time is now.
Mandeep Khera is chief marketing officer of Arxan, a provider of application attack prevention and self-protection solutions for Mobile, IoT, and other applications.